New HIPAA Safe Harbor Law Incentivizes Investment in Cybersecurity

In early January, President Trump signed the HIPAA Safe Harbor Bill (HR 7898) into law. The HIPAA Safe Harbor law amends the HITECH Act, incentivizing HHS to take part in industry best practices for cybersecurity. You can read the full description of the new law here.

To understand the significance of this law, it’s important to consider that in the last two months, cyberattacks against healthcare entities have increased 45%.

What does this law really mean?

One of the major outcomes of the law is this: it directs HHS to consider whether a business has followed industry best practices for cybersecurity in the 12 months prior to an investigated cybersecurity attack. Essentially, the law requires HHS to take into account what a business has been doing from a cybersecurity prevention standpoint, rather than just issuing fines and disciplinary action based on a single cybersecurity attack that may have been out of that business’s control. A business could, for example, be well within industry best practices and still fall victim to a major cybersecurity attack. In this case, the new law would not require a fine based on this single attack, but would instead consider potential fines based on the business’s cybersecurity practices over an entire 12-month period to determine compliance.

This law is meant to introduce much-needed balance to inequities associated with compliance determinations around HIPAA-related cyberattacks. In the past, unnecessarily severe penalties have been applied to businesses that fell victim to a HIPAA-related cyberattack. Specifically, businesses that were otherwise in full compliance based on industry requirements and best practices have been heavily penalized.

Why is this law significant? 

At a time when the healthcare industry is being heavily targeted by hackers, this law is one of many efforts aimed at stimulating increased healthcare cybersecurity efforts.

This law is significant because it provides incentives for healthcare providers to increase their cybersecurity investment in order to protect patient safety and demonstrate regulatory compliance.

Further, the law is an important step towards addressing the major cybersecurity issues in the healthcare sector. By incentivizing increased cybersecurity measures, the law joins efforts to address significant vulnerabilities that hackers continue to exploit within the healthcare industry.

If you are a business in the healthcare industry and you have questions about how this law may affect your business, reach out to us and we can help you navigate this new legislation.